From d4921ba22f5ae4537d808986743a228617c86328 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 27 May 2024 15:02:41 +0200 Subject: [PATCH] Properly handle null bytes and invalid characters in control messages MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This makes OpenVPN more picky in accepting control message in two aspects: - Characters are checked in the whole buffer and not until the first NUL byte - if the message contains invalid characters, we no longer continue evaluating a fixed up version of the message but rather stop processing it completely. Previously it was possible to get invalid characters to end up in log files or on a terminal. This also prepares the logic a bit in the direction of having a proper framing of control messages separated by null bytes instead of relying on the TLS framing for that. All OpenVPN implementations write the 0 bytes between control commands. This patch also include several improvement suggestion from Reynir (thanks!). CVE: 2024-5594 Reported-By: Reynir Björnsson Change-Id: I0d926f910637dabc89bf5fa919dc6beef1eb46d9 Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20240619103004.56460-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28791.html Signed-off-by: Gert Doering (cherry picked from commit 414f428fa29694090ec4c46b10a8aba419c85659) --- src/openvpn/buffer.c | 17 +++++++ src/openvpn/buffer.h | 25 ++++++++++ src/openvpn/forward.c | 105 ++++++++++++++++++++++++++++-------------- 3 files changed, 112 insertions(+), 35 deletions(-) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index e422ab7ce..15e54a195 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -1085,6 +1085,23 @@ string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive return ret; } +bool +string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive) +{ + ASSERT(buf); + + for (int i = 0; i < BLEN(buf); i++) + { + char c = BSTR(buf)[i]; + + if (!char_inc_exc(c, inclusive, exclusive)) + { + return false; + } + } + return true; +} + const char * string_mod_const(const char *str, const unsigned int inclusive, diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index 94d63b7f9..94f970d2b 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -933,6 +933,31 @@ bool string_class(const char *str, const unsigned int inclusive, const unsigned bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace); +/** + * Check a buffer if it only consists of allowed characters. + * + * @param buf The buffer to be checked. + * @param inclusive The character classes that are allowed. + * @param exclusive Character classes that are not allowed even if they are also in inclusive. + * @return True if the string consists only of allowed characters, false otherwise. + */ +bool +string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive); + +/** + * Returns a copy of a string with certain classes of characters of it replaced with a specified + * character. + * + * If replace is 0, characters are skipped instead of replaced. + * + * @param str The input string to be modified. + * @param inclusive Character classes not to be replaced. + * @param exclusive Character classes to be replaced even if they are also in inclusive. + * @param replace The character to replace the specified character classes with. + * @param gc The garbage collector arena to allocate memory from. + * + * @return The modified string with characters replaced within the specified range. + */ const char *string_mod_const(const char *str, const unsigned int inclusive, const unsigned int exclusive, diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index de7cafded..404b71c84 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -184,6 +184,43 @@ check_tls_errors_nco(struct context *c) #if P2MP +static void +parse_incoming_control_channel_command(struct context *c, struct buffer *buf) +{ + if (buf_string_match_head_str(buf, "AUTH_FAILED")) + { + receive_auth_failed(c, buf); + } + else if (buf_string_match_head_str(buf, "PUSH_")) + { + incoming_push_message(c, buf); + } + else if (buf_string_match_head_str(buf, "RESTART")) + { + server_pushed_signal(c, buf, true, 7); + } + else if (buf_string_match_head_str(buf, "HALT")) + { + server_pushed_signal(c, buf, false, 4); + } + else if (buf_string_match_head_str(buf, "INFO_PRE")) + { + server_pushed_info(c, buf, 8); + } + else if (buf_string_match_head_str(buf, "INFO")) + { + server_pushed_info(c, buf, 4); + } + else if (buf_string_match_head_str(buf, "CR_RESPONSE")) + { + receive_cr_response(c, buf); + } + else + { + msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(buf)); + } +} + /* * Handle incoming configuration * messages on the control channel. @@ -199,43 +236,41 @@ check_incoming_control_channel(struct context *c) struct buffer buf = alloc_buf_gc(len, &gc); if (tls_rec_payload(c->c2.tls_multi, &buf)) { - /* force null termination of message */ - buf_null_terminate(&buf); - - /* enforce character class restrictions */ - string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0); - if (buf_string_match_head_str(&buf, "AUTH_FAILED")) - { - receive_auth_failed(c, &buf); - } - else if (buf_string_match_head_str(&buf, "PUSH_")) - { - incoming_push_message(c, &buf); - } - else if (buf_string_match_head_str(&buf, "RESTART")) - { - server_pushed_signal(c, &buf, true, 7); - } - else if (buf_string_match_head_str(&buf, "HALT")) - { - server_pushed_signal(c, &buf, false, 4); - } - else if (buf_string_match_head_str(&buf, "INFO_PRE")) - { - server_pushed_info(c, &buf, 8); - } - else if (buf_string_match_head_str(&buf, "INFO")) + while (BLEN(&buf) > 1) { - server_pushed_info(c, &buf, 4); - } - else if (buf_string_match_head_str(&buf, "CR_RESPONSE")) - { - receive_cr_response(c, &buf); - } - else - { - msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); + /* commands on the control channel are seperated by 0x00 bytes. + * cmdlen does not include the 0 byte of the string */ + int cmdlen = (int)strnlen(BSTR(&buf), BLEN(&buf)); + + if (cmdlen < BLEN(&buf)) + { + /* include the NUL byte and ensure NUL termination */ + int cmdlen = (int)strlen(BSTR(&buf)) + 1; + + /* Construct a buffer that only holds the current command and + * its closing NUL byte */ + struct buffer cmdbuf = alloc_buf_gc(cmdlen, &gc); + buf_write(&cmdbuf, BPTR(&buf), cmdlen); + + /* check we have only printable characters or null byte in the + * command string and no newlines */ + if (!string_check_buf(&buf, CC_PRINT | CC_NULL, CC_CRLF)) + { + msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s", + format_hex(BPTR(&buf), BLEN(&buf), 256, &gc)); + } + else + { + parse_incoming_control_channel_command(c, &cmdbuf); + } + } + else + { + msg(D_PUSH_ERRORS, "WARNING: Ignoring control channel " + "message command without NUL termination"); + } + buf_advance(&buf, cmdlen); } } else -- 2.47.2